The Station-to-Station (STS) protocol 2 – Public-Key Cryptography

If the signature verification is successful, Alice generates her own signature $\mathrm{sig}_A(h(g^\alpha | g^\beta))$, encrypts it using the shared secret key $K$, and sends the result to Bob. Analogous to Alice, Bob decrypts the received encrypted signature and verifies it using Alice’s public key. If this verification is successful, the protocol is finished and Alice and Bob share an authenticated secret key $K$.

In Figure 7.5, you should easily spot that the security of the STS protocol relies on the inability of Eve to determine the random exponent $\alpha$ from $g^\alpha$ or $\beta$ from $g^\beta$. As a result, the security of the STS protocol relies on the intractability of the discrete logarithm problem.

In terms of cryptographic assurances, after Bob responds with his message, he has established a shared secret key with the other communicating party. However, Bob cannot know whether the other party is indeed Alice or an imposter – Mallory or Eve.

Luckily, Bob can rely on some trusted source in obtaining Alice’s public key. Bob is therefore able to verify a digital signature generated by Alice. In her response, $e_K(\mathrm{sig}_A(h(g^\alpha | g^\beta)))$, Alice signs the exponentials $g^\alpha$ and $g^\beta$, which are unique for this protocol run, with – and this is very important from the cryptographic perspective – the exponential $g^\beta$ generated by Bob. In this way, Alice’s signature $\mathrm{sig}_A(h(g^\alpha | g^\beta))$ is tied to that specific protocol run.

Moreover, by sending Bob $e_K(\mathrm{sig}_A(h(g^\alpha | g^\beta)))$, her signature encrypted with the shared secret key $K$, Alice implicitly proves to Bob that she is the communicating party who generated the random exponent $\alpha$. As a result, Bob is able to verify that the party he communicated with is indeed Alice.

In a similar manner, Alice can verify that she indeed communicated with Bob while exchanging the keying material $g^\alpha$, $g^\beta$ based on Bob’s response $g^\beta, e_K(\mathrm{sig}_B(h(g^\beta | g^\alpha)))$. Just like with Alice, Bob’s response ties his signature to the exponents and allows Alice to verify that it was Bob with whom she established the shared secret key $K$.
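The message flow described above, written out as an added example (it is not code from the original text). It assumes a constructed demo group, a Schnorr signature standing in for $\mathrm{sig}_A$ / $\mathrm{sig}_B$, and a toy XOR stream cipher for $e_K$; all function names are hypothetical. `replay_rejected` shows why binding the signature to both exponentials matters: Alice's final message from one run is rejected by Bob in a later run.

```python
import hashlib, secrets

P, G = 2**521 - 1, 3  # constructed demo group (assumption), not a vetted DH group

def h(*parts):
    """h(a|b): SHA-256 of the concatenated values, returned as an integer."""
    return int.from_bytes(hashlib.sha256("|".join(map(str, parts)).encode()).digest(), "big")

def keygen():  # random exponent x and exponential g^x (also used for long-term signing keys)
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)

def sign(priv, m):
    """Schnorr signature, a stand-in for sig_A / sig_B (assumption)."""
    k, r = keygen()
    e = h(r, m)
    return e, (k + e * priv) % (P - 1)

def verify(pub, m, sig):
    e, s = sig
    return h(pow(G, s, P) * pow(pub, -e, P) % P, m) == e

def e_K(key, sig):
    """Toy XOR stream cipher keyed with K (assumption); applying it twice decrypts."""
    pad = hashlib.shake_256(str(key).encode()).digest(160)
    return tuple(v ^ int.from_bytes(pad[80 * i:80 * i + 80], "big") for i, v in enumerate(sig))

def accepts(peer_pub, own_exp, peer_exp, key, ciphertext):
    """Decrypt with K, then check the peer's signature over h(peer_exp|own_exp)."""
    return verify(peer_pub, h(peer_exp, own_exp), e_K(key, ciphertext))

def sts_run(alice, bob):
    """One STS run between long-term key pairs; returns both keys and a transcript."""
    (a_priv, a_pub), (b_priv, b_pub) = alice, bob
    alpha, ga = keygen()                               # Alice -> Bob: g^alpha
    beta, gb = keygen()
    k_bob = pow(ga, beta, P)
    c_bob = e_K(k_bob, sign(b_priv, h(gb, ga)))        # Bob -> Alice: g^beta, e_K(sig_B)
    k_alice = pow(gb, alpha, P)
    if not accepts(b_pub, ga, gb, k_alice, c_bob): raise ValueError("Bob's signature rejected")
    c_alice = e_K(k_alice, sign(a_priv, h(ga, gb)))    # Alice -> Bob: e_K(sig_A)
    if not accepts(a_pub, gb, ga, k_bob, c_alice): raise ValueError("Alice's signature rejected")
    return k_alice, k_bob, {"ga": ga, "gb": gb, "c_alice": c_alice}

def replay_rejected(alice, bob):
    """Replay Alice's final message from an old run into a fresh run; Bob must reject it."""
    *_, old = sts_run(alice, bob)
    _, k_bob, new = sts_run(alice, bob)
    return not accepts(alice[1], new["gb"], new["ga"], k_bob, old["c_alice"])
```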

Note how STS has the desired authenticated key agreement properties discussed earlier in this section. First, STS uses fresh random challenges α, β rather than timestamps.

Second, Bob’s and Alice’s authentication is direct because they use the shared secret key K to encrypt their signatures.

Third, STS offers perfect forward secrecy – the only long-term secret keys are Alice’s and Bob’s private keys, which they use to sign the hash of the exponentials $g^\alpha$ and $g^\beta$. If Alice’s or Bob’s private key (or both) are somehow compromised, the security of the previous STS protocol runs is not affected provided the exponents $\alpha$ and $\beta$ are random and are not reused between protocol runs. Then, the Diffie-Hellman problem prevents Eve (and Mallory) from determining these exponents from $g^\alpha$ and $g^\beta$, respectively.

In addition, the use of digital signatures implies that Alice and Bob do not need to contact a trusted third party, Trent, for every run of the STS protocol. In other words, once Alice and Bob have their own certificates as well as the certificate of Trent (stored in a secure memory that cannot be manipulated by Mallory), they can perform an authenticated key agreement using the STS protocol completely offline, without the need for any connectivity or additional infrastructure.

The Handshake subprotocol of TLS is currently perhaps the most widely deployed Authenticated Key Agreement (AKA) protocol.
